Maze Ransomware Expanded Double-Extortion Tactics and Targeted Intrusions
The Maze ransomware operation evolved from earlier exploit-kit activity associated with “ChaCha ransomware” into a prominent double-extortion threat that stole data before encrypting systems and then pressured victims by publishing stolen files on dedicated leak sites. Operators built a public reputation around naming victims, courting media attention, and using data exposure as leverage to increase the likelihood of ransom payments.
Maze infections were delivered through multiple channels, including spam campaigns impersonating government tax agencies and later more targeted compromises through Remote Desktop Protocol (RDP) access and network exploitation. Sophos reported that the malware used heavy obfuscation, anti-analysis checks, persistence mechanisms, system and network reconnaissance, HTTP POST data exfiltration, and file encryption based on RSA and ChaCha20, while also showing selective behavior such as adjusting demands for home versus corporate systems and easing pressure in some medical-sector cases during COVID-19.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Maze adopts selective behavior during the COVID-19 period
The report notes that during COVID-19, Maze at times avoided some medical targets and in certain cases reduced pressure, reflecting a selective operational approach.
Maze shifts to targeted intrusions via RDP and network exploitation
According to Sophos, Maze later moved beyond broad delivery methods and conducted targeted intrusions using Remote Desktop Protocol access and network exploitation.
Maze expands delivery to tax-themed spam campaigns
The report describes Maze being distributed through spam campaigns impersonating government tax agencies as part of its delivery evolution.
Maze starts publicly leaking victim data on dedicated sites
Sophos reports that Maze distinguished itself by publicizing victims and operating dedicated victim and leak sites to increase extortion pressure through public exposure.
Maze evolves into a public extortion-focused ransomware brand
The operation developed into Maze, a higher-profile ransomware brand that combined encryption with data theft and pressure tactics aimed at forcing victims to pay.
Maze begins as ChaCha ransomware via exploit kits
Sophos says the operation started under the earlier 'ChaCha ransomware' label and was initially delivered through exploit kits before evolving into the Maze brand.
Sources
1 reference tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Maze Ransomware Expanded Double-Extortion Attacks Against Enterprises
The Maze ransomware operation escalated from file encryption to **double extortion**, stealing data from victims and threatening public leaks unless ransom demands were paid. Sophos reported that the group spent roughly a year refining this model, using intrusions against enterprise networks to maximize pressure on organizations already facing operational disruption from ransomware. The campaign helped normalize a tactic that later spread widely across the ransomware ecosystem: combining encryption with data theft and public shaming to force payment. Maze’s activity showed how ransomware groups were evolving into full-scale extortion operations, increasing legal, financial, and reputational risk for affected companies beyond the immediate impact of locked systems.
May 25, 2026
Egregor Ransomware Used Cobalt Strike and Rclone in Double-Extortion Attacks
The **Egregor** ransomware operation carried out double-extortion attacks by stealing sensitive data, encrypting victim systems, and threatening to publish stolen information on a leak site if victims refused to pay. Researchers linked Egregor to an ecosystem associated with **Sekhmet** and possible former **Maze** affiliates, with additional reported ties to **ProLock** and **LockBit**. Victims cited in reporting included **GEFCO**, **Barnes & Noble**, and **Ubisoft**, while the group’s leak site reportedly listed **152 victim companies** across industries including information technology, construction, retail, consumer goods, and automotive. Intrusions commonly began with **phishing** or **RDP exploitation**, after which attackers used **Cobalt Strike** for payload delivery and in some cases leveraged **QBot** and living-off-the-land tools such as `bitsadmin`. The malware used heavily obfuscated DLL payloads with **Salsa20**-encrypted configuration data, required a sample-specific launch key passed with the `-p` parameter, and encrypted files with **ChaCha** and **RSA-2048**. Researchers also observed the group using **Rclone** with attacker-supplied configuration data to exfiltrate stolen files, while the ransomware appeared to avoid encrypting systems configured with several CIS-region languages.
Mar 29, 2024
RansomHouse Ransomware Upgrades with Double Extortion and Advanced Encryption
RansomHouse, operated by the group known as Jolly Scorpius, has significantly evolved its ransomware-as-a-service (RaaS) platform by integrating a double extortion strategy that combines data theft with encryption. This approach increases pressure on victims by threatening both operational disruption and public data leaks. Since December 2021, RansomHouse has targeted at least 123 organizations across critical sectors such as healthcare, finance, transportation, and government, resulting in substantial financial losses and severe data breaches. The group employs a sophisticated attack chain, with roles divided among operators, attackers, and infrastructure providers, and often gains initial access through spear-phishing or exploiting vulnerable systems. Once inside, attackers use specialized tools to maximize impact, particularly targeting VMware ESXi hypervisors to encrypt large numbers of virtual machines simultaneously, amplifying operational disruption. Recent technical analysis reveals that RansomHouse has upgraded its encryption methods from a simple, linear approach to a more complex, multi-layered technique, making detection and recovery more challenging for defenders. The toolkit includes the 'MrAgent' management and deployment tool, which automates ransomware deployment and maintains persistent connections to command-and-control servers, and the 'Mario' encryptor, which represents the latest advancement in their arsenal. These upgrades, combined with the double extortion model, have made RansomHouse a formidable threat, prompting security vendors to enhance their protective measures and urging organizations to remain vigilant against this evolving ransomware operation.
Mar 21, 2026